The s6-sudoc program

s6-sudoc talks to a peer s6-sudod
program over a Unix socket, passing it command-line arguments, environment
variables and standard descriptors.

Interface

s6-sudoc [ -e ] [ -t timeoutconn ] [ -T timeoutrun ] [ args... ]

s6-sudoc transmits its standard input, standard output and standard error
via fd-passing over a Unix socket that must be open on its descriptors 6 and 7.
It expects a s6-sudod process to be receiving them
on the other side.

It also transmits its command-line arguments args, and also its
environment by default. Note that s6-sudod will not necessarily accept all the
environment variables that s6-sudoc tries to transmit.

s6-sudoc waits for the server program run by s6-sudod to finish. It exits
the same exit code as the server program. If the server program is killed by a
signal, s6-sudoc kills itself with the same signal.

Options

-e : do not attempt to transmit any environment variables
to s6-sudod.

-t timeoutconn : if s6-sudod has not
managed to process the given information and start the server program after
timeoutconn milliseconds, give up. By default, timeoutconn
is 0, meaning infinite. Note that there is no reason to set up a nonzero
timeoutconn with a large value: s6-sudod is not supposed to block.
The option is only there to protect against ill-written services.

-T timeoutrun : if the server program
has not exited after timeoutrun milliseconds, give up. By
default, timeoutrun is 0, meaning infinite.

Notes

If s6-sudoc is killed, or exits after timeoutrun milliseconds,
while the server program is still running, s6-sudod will send a SIGTERM and a
SIGCONT to the server program - but this does not guarantee that it will die.
If the server program keeps running, it might still read from the file that
was s6-sudoc's stdin, or write to the files that were s6-sudoc's stdout or
stderr. This is a potential security risk.
Administrators should audit their server programs to make sure this does not
happen.

More generally, anything using signals or terminals will not be
handled transparently by the s6-sudoc + s6-sudod mechanism. The mechanism
was designed to allow programs to gain privileges in specific situations:
short-lived, simple, noninteractive processes. It was not designed to emulate
the full suid functionality and will not go out of its way to do so.